IPsec Usability Enhancements

The IPsec Usability Enhancements feature introduces functionality that eases the configuration and monitoring of your IPsec virtual private network (VPN). Benefits of this feature include intelligent defaults for IPsec and Internet Key Exchange (IKE) and the ability to easily verify and troubleshoot IPsec VPNs.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for IPsec Usability Enhancements" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About IPsec Usability Enhancements

IPsec Overview

IPsec is a framework of open standards developed by the Internet Engineering Task Force (IETF), which provides security for transmission of sensitive information over public networks. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers), such as Cisco routers.

IPsec provides secure tunnels between two peers. You may define which packets are considered sensitive and should be sent through these secure tunnels. You may also define the parameters that should be used to protect these sensitive packets by specifying characteristics of the tunnels. When an IPsec peer detects a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.

The VPN devices identify the traffic, or sensitive packets, that must be protected. For each packet, IPsec is applied, the packet is bypassed, or the packet is dropped. If IPsec is applied, IKE phase-1 is initiated for that traffic type.

Step 2: IKE Phase-1

There are three exchanges between the VPN devices to negotiate an IKE security policy and establish a secure channel.

During the first exchange, the VPN devices negotiate matching IKE transform sets to protect the IKE exchange resulting in establishing an Internet Security Association and Key Management Protocol (ISAKMP) policy to utilize. The ISAKMP policy consists of an encryption algorithm, a hash algorithm, an authentication algorithm, a Diffie-Hellman (DH) group, and a lifetime parameter.

The second exchange consists of a Diffie-Hellman exchange, which establishes a shared secret.

The third exchange authenticates peer identity. After the peers are authenticated, IKE phase-2 begins.

Step 3: IKE Phase-2

The VPN devices negotiate the IPsec security policy used to protect the IPsec data. IPsec transform sets are negotiated.

A transform set is a combination of algorithms and protocols that enact a security policy for network traffic. For more information on default transform sets, see the section "Verifying Default IPsec Transform-Sets." A VPN tunnel is ready to be established.

Step 4: Establishing the Tunnel—IPsec Session

The VPN devices apply security services to IPsec traffic and then transmit the IPsec data. Security associations (SAs) are exchanged between peers. The negotiated security services are applied to the tunnel traffic while the IPsec session is active.

Step 5: Terminating the Tunnel

The tunnel is torn down when an IPsec SA lifetime time-out occurs or if the packet counter is exceeded. The IPsec SA is removed.

How to Utilize IPsec Usability Enhancements

Verifying IKE Phase-1, ISAKMP, Default Policies

When IKE negotiation begins, the peers try to find a common policy, starting with the highest priority policy as specified on the remote peer. The peers negotiate the policy sets until there is a match. If peers have more than one policy set in common, the lowest priority number is used.

There are three groups of IKE phase-1, ISAKMP, policies as defined by policy priority ranges and behavior:

•Default ISAKMP policies, which are automatically enabled.

•User configured ISAKMP policies, which you may configure with the crypto isakmp policy command.

•Easy VPN (EzVPN) ISAKMP policies, which are made available during EzVPN configuration.

This section describes the three groups of ISAKMP policies, how they behave in relationship to one another, how to determine which policies are in use with the appropriate show command, and how to disable the default ISAKMP policies.

Default IKE Phase-1 Policies

There are eight default IKE phase-1, ISAKMP, policies supported (see Table 1) that are enabled automatically. If you have neither manually configured IKE policies with the crypto isakmp policy command nor disabled the default IKE policies with the no crypto isakmp default policy command, the default IKE policies will be used during peer IKE negotiations. You can verify that the default IKE policies are in use by issuing either the show crypto isakmp policy command or the show crypto isakmp default policy command.

The default IKE policies define the following policy set parameters:

•The priority, 65507-65514, where 65507 is the highest priority and 65514 is the lowest priority.

User Configured IKE Policies

You may configure IKE policies with the crypto isakmp policy command. User configured IKE policies are uniquely identified and configured with a priority number ranging from 1-10000, where 1 is the highest priority and 10000 the lowest priority.

Once you have configured one or more IKE policies with a priority of 1-10000:

•The user configured policies will be used during peer IKE negotiations.

•The default IKE policies will no longer be used during peer IKE negotiations.

•The user configured policies may be displayed by issuing the show crypto isakmp policy command.

EzVPN ISAKMP Policies

If you have configured EzVPN (see Related Documents), the default EzVPN ISAKMP policies in use are uniquely identified with a priority number ranging from 65515-65535, where 65515 is the highest priority and 65535 is the lowest priority.

Once a user has configured EzVPN:

•The default EzVPN ISAKMP policies and the default IKE policies will be used during peer IKE negotiations.

•The EzVPN ISAKMP policies and the default IKE policies will be displayed by issuing the show crypto isakmp policy command.

•Default ISAKMP policies will be displayed by issuing the show crypto isakmp default policy command unless they have been disabled by issuing the no crypto isakmp default policy command.
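The three policy groups and the priority-ordered match described above, modelled in Python as an added example (not Cisco IOS code; the policy contents are constructed samples, not the real default policy table, and the lifetime handling is a stated simplification):

```python
# Model of the ISAKMP policy groups and the priority-ordered match described
# above. Added illustration, not Cisco IOS code: the policy contents below are
# constructed samples, not the real default policy table (Table 1).

USER_RANGE = range(1, 10001)         # crypto isakmp policy <1-10000>
DEFAULT_RANGE = range(65507, 65515)  # built-in defaults, 65507 is highest
EZVPN_RANGE = range(65515, 65536)    # EzVPN policies, 65515 is highest


def make_policy(priority, encr, hash_, auth, group, lifetime=86400):
    """One ISAKMP policy: the five parameters listed under IKE phase-1."""
    return {"priority": priority, "encr": encr, "hash": hash_,
            "auth": auth, "group": group, "lifetime": lifetime}


class IsakmpPeer:
    """One router's IKE phase-1 policy state."""

    def __init__(self, user=(), defaults=(), ezvpn=(), defaults_disabled=False):
        self.user = list(user)              # crypto isakmp policy N
        self.defaults = list(defaults)      # shipped default policies
        self.ezvpn = list(ezvpn)            # present only once EzVPN is configured
        self.defaults_disabled = defaults_disabled  # no crypto isakmp default policy

    def active_policies(self):
        """Policies this peer offers, highest priority (lowest number) first.
        Defaults are offered only when no user policy exists and they have
        not been disabled; EzVPN policies are offered whenever present."""
        offered = self.user + self.ezvpn
        if not self.user and not self.defaults_disabled:
            offered = offered + self.defaults
        return sorted(offered, key=lambda p: p["priority"])


def _same_proposal(a, b):
    return all(a[k] == b[k] for k in ("encr", "hash", "auth", "group"))


def negotiate(initiator, responder):
    """Walk the initiator's policies from highest priority down and stop at
    the first one the responder also offers. Returns (policy, used_default);
    used_default is True when either side matched on a built-in default, the
    case in which the router logs %CRYPTO-6-IKMP_POLICY_DEFAULT."""
    for mine in initiator.active_policies():
        for theirs in responder.active_policies():
            if _same_proposal(mine, theirs):
                agreed = dict(mine)
                # Simplification: lifetimes need not match; the shorter applies.
                agreed["lifetime"] = min(mine["lifetime"], theirs["lifetime"])
                used_default = (mine["priority"] in DEFAULT_RANGE
                                or theirs["priority"] in DEFAULT_RANGE)
                return agreed, used_default
    return None, False


# Constructed sample defaults (not the real IOS values).
DEFAULTS = [make_policy(65507, "aes", "sha", "pre-share", 5),
            make_policy(65508, "3des", "sha", "pre-share", 2)]


def demo():
    """RouterA relies on defaults; RouterB has one user policy, so its own
    defaults are withheld and only the weaker built-in on A can match."""
    router_a = IsakmpPeer(defaults=DEFAULTS)
    router_b = IsakmpPeer(user=[make_policy(10, "3des", "sha", "pre-share", 2,
                                            lifetime=3600)], defaults=DEFAULTS)
    return negotiate(router_a, router_b)
```

Disabling the defaults on RouterA with no crypto isakmp default policy leaves the two peers with no common policy, which is exactly the failure a blank show crypto isakmp default policy output should make you expect.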

SUMMARY STEPS

1. enable

2. show crypto isakmp default policy

3. configure terminal

4. no crypto isakmp default policy

DETAILED STEPS


Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

show crypto isakmp default policy

Example:

Router# show crypto isakmp default policy

(Optional) Displays default ISAKMP policies if no policy with a priority of 1-10000 is configured.

The following example disables the default IKE policies and then shows the resulting output of the show crypto isakmp default policy command, which is blank:

Router# configure terminal

Router(config)# no crypto isakmp default policy

Router(config)# exit

Router# show crypto isakmp default policy

Router#

! There is no output since the default IKE policies have been disabled.

The following is an example system log message that is generated whenever the default ISAKMP policies are in use:

%CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies

Verifying Default IPsec Transform-Sets

A transform set represents a certain combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

During IPsec SA negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of the IPsec SAs of both peers.

Default Transform Sets

A default transform set will be used by any crypto map or IPsec profile where no other transform set has been configured, provided that both of the following are true:

•The default transform sets have not been disabled with the no crypto ipsec default transform-set command.

•The crypto engine in use supports the encryption algorithm.

The two default transform sets each define an Encapsulation Security Protocol (ESP) encryption transform type and an ESP authentication transform type as shown in Table 2.

Step 2 show crypto ipsec default transform-set

(Optional) Displays the default IPsec transform sets currently in use by IKE.

Step 3

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 4

no crypto ipsec default transform-set

Example:

Router(config)# no crypto ipsec default transform-set

(Optional) Disables the default IPsec transform sets.

Examples

The following example displays output from the show crypto ipsec default transform-set command when the default transform sets are enabled, the default setting:

Router# show crypto ipsec default transform-set

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }

will negotiate = { Transport, },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }

will negotiate = { Transport, },

The following example displays output from the show crypto ipsec default transform-set command when the default transform sets have been disabled with the no crypto ipsec default transform-set command.

Router(config)# no crypto ipsec default transform-set

Router(config)# exit

Router#

Router# show crypto ipsec default transform-set

! There is no output.

Router#

The following is an example system log message that is generated whenever IPsec SAs have negotiated with a default transform set:

%CRYPTO-5-IPSEC_DEFAULT_TRANSFORM: Using Default IPsec transform-set
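As an added example (not from this document or from Cisco), a Python audit that parses the show crypto ipsec default transform-set output shown above, distinguishes the disabled (blank) case from the enabled one, flags legacy ESP transforms, and picks the two system log messages this section describes out of a syslog feed. The legacy-algorithm list and the sample log lines are my own construction, not the page's.

```python
import re

# The two command outputs shown above: defaults enabled, then disabled.
ENABLED_OUTPUT = """\
Router# show crypto ipsec default transform-set
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
"""
DISABLED_OUTPUT = "Router# show crypto ipsec default transform-set\nRouter#\n"

SET_RE = re.compile(r"Transform set (\S+): \{ ([^}]*)\}")
MODE_RE = re.compile(r"will negotiate = \{ ([^}]*)\}")

# ESP transforms a reviewer would want retired (general guidance; the page
# itself does not rate the algorithms).
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_default_transform_sets(text):
    """Return [{'name', 'transforms', 'modes'}, ...]; empty when the defaults
    are disabled, because the command then prints nothing."""
    sets = []
    for line in text.splitlines():
        m = SET_RE.search(line)
        if m:
            sets.append({"name": m.group(1),
                         "transforms": m.group(2).split(),
                         "modes": []})
            continue
        m = MODE_RE.search(line)
        if m and sets:
            sets[-1]["modes"] = [t.strip() for t in m.group(1).split(",")
                                 if t.strip()]
    return sets


def audit_default_transform_sets(text):
    """One finding per disabled state or per set carrying a legacy transform."""
    sets = parse_default_transform_sets(text)
    findings = []
    if not sets:
        findings.append("default transform sets disabled (no output)")
    for s in sets:
        weak = sorted(LEGACY & set(s["transforms"]))
        if weak:
            findings.append(f"{s['name']} offers legacy transform(s): "
                            f"{' '.join(weak)}")
    return findings


# The two mnemonics this section documents, mapped to what each tells you.
DEFAULT_IN_USE_MSGS = {
    "%CRYPTO-6-IKMP_POLICY_DEFAULT": "IKE phase-1 used a default ISAKMP policy",
    "%CRYPTO-5-IPSEC_DEFAULT_TRANSFORM": "IPsec SA used a default transform set",
}


def scan_syslog(lines):
    """Return (mnemonic, meaning) for every log line carrying one of them."""
    hits = []
    for line in lines:
        for mnemonic, meaning in DEFAULT_IN_USE_MSGS.items():
            if mnemonic in line:
                hits.append((mnemonic, meaning))
    return hits
```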

Verifying and Troubleshooting IPsec VPNs

Perform one of the following optional tasks in this section, depending on whether you want to verify IKE phase-1 or IKE phase-2 tunnels or troubleshoot your IPsec VPN:

DETAILED STEPS

Step 1 show crypto mib isakmp flowmib failure [vrf vrf-name]

For ISAKMP tunnel failures, this command displays event information. The following is sample output for this command:

Router# show crypto mib isakmp flowmib failure

vrf Global

Index: 1

Reason: peer lost

Failure time since reset: 00:07:27

Local type: ID_IPV4_ADDR

Local value: 192.0.2.1

Remote type: ID_IPV4_ADDR

Remote Value: 192.0.2.2

Local Address: 192.0.2.1

Remote Address: 192.0.2.2

Index: 2

Reason: peer lost

Failure time since reset: 00:07:27

Local type: ID_IPV4_ADDR

Local value: 192.0.3.1

Remote type: ID_IPV4_ADDR

Remote Value: 192.0.3.2

Local Address: 192.0.3.1

Remote Address: 192.0.3.2

Index: 3

Reason: peer lost

Failure time since reset: 00:07:32

Local type: ID_IPV4_ADDR

Remote type: ID_IPV4_ADDR

Remote Value: 192.0.2.2

Local Address: 192.0.2.1

Remote Address: 192.0.2.2

Step 2 show crypto mib isakmp flowmib global [vrf vrf-name]

Global ISAKMP tunnel statistics are displayed by issuing this command. The following is sample output for this command:

Router# show crypto mib isakmp flowmib global

vrf Global

Active Tunnels: 3

Previous Tunnels: 0

In octets: 2856

Out octets: 3396

In packets: 16

Out packets: 19

In packets drop: 0

Out packets drop: 0

In notifys: 4

Out notifys: 7

In P2 exchg: 3

Out P2 exchg: 6

In P2 exchg invalids: 0

Out P2 exchg invalids: 0

In P2 exchg rejects: 0

Out P2 exchg rejects: 0

In IPSEC delete: 0

Out IPSEC delete: 0

SAs locally initiated: 3

SAs locally initiated failed: 0

SAs remotely initiated failed: 0

System capacity failures: 0

Authentication failures: 0

Decrypt failures: 0

Hash failures: 0

Invalid SPI: 0

Step 3 show crypto mib isakmp flowmib history [vrf vrf-name]

For information about ISAKMP tunnels that are no longer active, this command displays event information including the reason that the tunnel was terminated. The following is sample output for this command:

DETAILED STEPS

Step 1 show crypto mib ipsec flowmib endpoint [vrf vrf-name]

Information for each active endpoint, local or remote device, associated with an IPsec phase-2 tunnel is displayed by issuing this command. The following is sample output for this command:

Router# show crypto mib ipsec flowmib endpoint

vrf Global

Index: 1

Local type: Single IP address

Local address: 192.1.2.1

Protocol: 0

Local port: 0

Remote type: Single IP address

Remote address: 192.1.2.2

Remote port: 0

Index: 2

Local type: Subnet

Local address: 192.1.3.0 255.255.255.0

Protocol: 0

Local port: 0

Remote type: Subnet

Remote address: 192.1.3.0 255.255.255.0

Remote port: 0

Step 2 show crypto mib ipsec flowmib failure [vrf vrf-name]

For IPsec (IKE phase-2) tunnel failures, this command displays event information. The following is sample output for this command:

Router# show crypto mib ipsec flowmib failure

vrf Global

Index: 1

Reason: Operation request

Failure time since reset: 00:25:18

Src address: 192.1.2.1

Destination address: 192.1.2.2

SPI: 0

Step 3 show crypto mib ipsec flowmib global [vrf vrf-name]

Global IKE phase-2 tunnel statistics are displayed by issuing this command. The following is sample output for this command:

Router# show crypto mib ipsec flowmib global

vrf Global

Active Tunnels: 2

Previous Tunnels: 0

In octets: 800

Out octets: 1408

In packets: 8

Out packets: 8

Uncompressed encrypted bytes: 1408

In packets drops: 0

Out packets drops: 2

In replay drops: 0

In authentications: 8

Out authentications: 8

In decrypts: 8

Out encrypts: 8

Compressed bytes: 0

Uncompressed bytes: 0

In uncompressed bytes: 0

Out uncompressed bytes: 0

In decrypt failures: 0

Out encrypt failures: 0

No SA failures: 0

! Number of SA Failures.

Protocol use failures: 0

System capacity failures: 0

In authentication failures: 0

Out authentication failures: 0

Step 4 show crypto mib ipsec flowmib history [vrf vrf-name]

For information about IKE phase-2 tunnels that are no longer active, this command displays event information including the reason that the tunnel was terminated. The following is sample output for this command:

Router# show crypto mib ipsec flowmib history

vrf Global

Reason: Operation request

Index: 1

Local address: 192.1.2.1

Remote address: 192.1.2.2

IPSEC keying: IKE

Encapsulation mode: 1

Lifetime (KB): 4608000

Lifetime (Sec): 3600

Active time: 00:24:32

Lifetime threshold (KB): 423559168

Lifetime threshold (Sec): 3590000

Total number of refreshes: 0

Expired SA instances: 4

Current SA instances: 4

In SA DH group: 1

In sa encrypt algorithm des

In SA auth algorithm: rsig

In SA ESP auth algo: ESP_HMAC_SHA

In SA uncompress algorithm: None

Out SA DH group: 1

Out SA encryption algorithm: des

Out SA auth algorithm: ESP_HMAC_SHA

Out SA ESP auth algorithm: ESP_HMAC_SHA

Out SA uncompress algorithm: None

In octets: 400

Decompressed octets: 400

In packets: 4

In drops: 0

In replay drops: 0

In authentications: 4

In authentication failures: 0

In decrypts: 4

In decrypt failures: 0

Out octets: 704

Out uncompressed octets: 704

Out packets: 4

Out drops: 1

Out authentications: 4

Out authentication failures: 0

Out encryptions: 4

Out encryption failures: 0

Compressed octets: 0

Decompressed octets: 0

Out uncompressed octets: 704

Step 5 show crypto mib ipsec flowmib spi [vrf vrf-name]

The security parameter index (SPI) table contains an entry for each active and expiring IKE phase-2 security association. The following is sample output for this command, which displays the SPI table:

Step 6 show crypto mib ipsec flowmib tunnel [vrf vrf-name]

For active IKE phase-2 tunnels, this command displays tunnel statistics. The following is sample output for this command:

Router# show crypto mib ipsec flowmib tunnel

vrf Global

Index: 1

Local address: 192.0.2.1

Remote address: 192.0.2.2

IPSEC keying: IKE

Encapsulation mode: 1

Lifetime (KB): 4608000

Lifetime (Sec): 3600

Active time: 00:05:46

Lifetime threshold (KB): 64

Lifetime threshold (Sec): 10

Total number of refreshes: 0

Expired SA instances: 0

Current SA instances: 4

In SA DH group: 1

In sa encrypt algorithm: des

In SA auth algorithm: rsig

In SA ESP auth algo: ESP_HMAC_SHA

In SA uncompress algorithm: None

Out SA DH group: 1

Out SA encryption algorithm: des

Out SA auth algorithm: ESP_HMAC_SHA

Out SA ESP auth algorithm: ESP_HMAC_SHA

Out SA uncompress algorithm: None

In octets: 400

Decompressed octets: 400

In packets: 4

In drops: 0

In replay drops: 0

In authentications: 4

In authentication failures: 0

In decrypts: 4

In decrypt failures: 0

Out octets: 704

Out uncompressed octets: 704

Out packets: 4

Out drops: 1

Out authentications: 4

Out authentication failures: 0

Out encryptions: 4

Out encryption failures: 0

Compressed octets: 0

Decompressed octets: 0

Out uncompressed octets: 704
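An added Python example (not Cisco code) that parses the per-tunnel "field: value" output of show crypto mib ipsec flowmib tunnel shown above into records and reviews each tunnel for what a defender would check first: the negotiated encryption and DH group, outbound drops and anti-replay drops. Tunnel 1 in the embedded sample is the page's output trimmed to the fields used; tunnel 2 is constructed, and the weak-algorithm thresholds are general guidance rather than something the page states.

```python
import re

# Excerpt of the "show crypto mib ipsec flowmib tunnel" output shown above:
# tunnel 1 is the page's sample trimmed to the fields used here, tunnel 2 is a
# constructed second record. One line deliberately lacks its colon, as
# "In sa encrypt algorithm des" does in the history output on this page.
SAMPLE = """\
Router# show crypto mib ipsec flowmib tunnel
vrf Global
Index: 1
Local address: 192.0.2.1
Remote address: 192.0.2.2
Active time: 00:05:46
In SA DH group: 1
In sa encrypt algorithm des
Out SA encryption algorithm: des
Out drops: 1
Index: 2
Local address: 192.0.2.5
Remote address: 192.0.2.6
In SA DH group: 14
In sa encrypt algorithm: aes
Out SA encryption algorithm: aes
In replay drops: 2
"""

FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")


def parse_flowmib(text):
    """One dict per Index block, keys lower-cased. A line printed without its
    colon is recovered by treating its last word as the value."""
    tunnels, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Router#") or line.startswith("vrf "):
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key").lower(), m.group("val").strip()
        else:
            key, _, val = line.rpartition(" ")
            key = key.lower()
        if key == "index":
            cur = {"index": int(val)}
            tunnels.append(cur)
        elif cur is not None:
            cur[key] = val
    return tunnels


# Review thresholds: DES/3DES and DH groups 1, 2 and 5 are below current
# guidance (general practice, not something this page states).
LEGACY_ENCR = {"des", "3des"}
WEAK_DH = {"1", "2", "5"}


def audit_tunnels(tunnels):
    """Return human-readable findings per tunnel."""
    findings = []
    for t in tunnels:
        tag = f"tunnel {t['index']} {t.get('local address')}->{t.get('remote address')}"
        encr = {t.get("in sa encrypt algorithm"), t.get("out sa encryption algorithm")}
        if encr & LEGACY_ENCR:
            findings.append(f"{tag}: legacy encryption {sorted(encr & LEGACY_ENCR)}")
        if t.get("in sa dh group") in WEAK_DH:
            findings.append(f"{tag}: weak DH group {t['in sa dh group']}")
        if int(t.get("out drops", "0")) > 0:
            findings.append(f"{tag}: {t['out drops']} outbound drop(s)")
        if int(t.get("in replay drops", "0")) > 0:
            findings.append(f"{tag}: {t['in replay drops']} anti-replay drop(s)")
    return findings
```

The same parser works on the history output, which uses the same "field: value" layout, so expired tunnels can be reviewed the same way.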

Troubleshooting IPsec VPNs

The show tech-support ipsec command simplifies the collection of the IPsec related information if you are troubleshooting a problem.

SUMMARY STEPS

1. show tech-support ipsec [peer ipv4address | vrf vrf-name]

DETAILED STEPS

Step 1 show tech-support ipsec

There are three variations of the show tech-support ipsec command:

•show tech-support ipsec

•show tech-support ipsec peer ipv4address

•show tech-support ipsec vrf vrf-name

For sample output from the show tech-support ipsec command, and from each of the individual show commands listed below for each variation, see the "Related Documents" section.

Output of the show tech-support ipsec Command

If you enter the show tech-support ipsec command without any keywords, the command output displays the following show commands, in order of output:

•show version

•show running-config

•show crypto isakmp sa count

•show crypto ipsec sa count

•show crypto session summary

•show crypto session detail

•show crypto isakmp sa detail

•show crypto ipsec sa detail

•show crypto isakmp peers

•show crypto ruleset detail

•show processes memory | include Crypto IKMP

•show processes cpu | include Crypto IKMP

•show crypto eli

•show crypto engine accelerator statistic

Output of the show tech-support ipsec peer Command

If you enter the show tech-support ipsec command with the peer keyword and the ipv4address argument, the output displays the following show commands, in order of output for the specified peer:

•show version

•show running-config

•show crypto session remote ipv4address detail

•show crypto isakmp sa peer ipv4address detail

•show crypto ipsec sa peer ipv4address detail

•show crypto isakmp peers ipv4address

•show crypto ruleset detail

•show processes memory | include Crypto IKMP

•show processes cpu | include Crypto IKMP

•show crypto eli

•show crypto engine accelerator statistic

Output of the show tech-support ipsec vrf Command

If you enter the show tech-support ipsec command with the vrf keyword and the vrf-name argument, the output displays the following show commands, in order of output for the specified Virtual Routing and Forwarding (VRF):

•show version

•show running-config

•show crypto isakmp sa count vrf vrf-name

•show crypto ipsec sa count vrf vrf-name

•show crypto session ivrf ivrf-name detail

•show crypto session fvrf fvrf-name detail

•show crypto isakmp sa vrf vrf-name detail

•show crypto ipsec sa vrf vrf-name detail

•show crypto ruleset detail

•show processes memory | include Crypto IKMP

•show processes cpu | include Crypto IKMP

•show crypto eli

•show crypto engine accelerator statistic

Configuration Examples for IPsec Usability Enhancements

IKE Default Policies: Example

In the following example, crypto maps are configured on RouterA and RouterB and default IKE policies are in use. Traffic is routed from Pagent A to Pagent B. Checking the system log on Peer A and Peer B confirms that the default IKE policies are in use on both peers (see Figure 1).

Default Transform Sets: Example

In the following example, static crypto maps are configured on RouterA and dynamic crypto maps are configured on RouterB. Traffic is routed from Pagent A to Pagent B. The IPsec SAs negotiate with default transform sets and the traffic is encrypted. Executing the show crypto map command on both peers verifies that the default transform sets are in use (see Figure 1).

MIBs

Technical Assistance


The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Feature Information for IPsec Usability Enhancements

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note: Table 3 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 3 Feature Information for IPsec Usability Enhancements

Feature Name: IPsec Usability Enhancements

Releases: 12.4(20)T, Cisco IOS XE Release 2.4

Feature Information: The IPsec Usability Enhancements feature introduces functionality that eases the configuration and monitoring of your IPsec virtual private network (VPN). Benefits of this feature include intelligent defaults for IPsec and Internet Key Exchange (IKE) and the ability to easily verify and troubleshoot IPsec VPNs. In Cisco IOS XE Release 2.4, this feature was implemented on the Cisco ASR 1000 series routers.

Glossary

peer—In the context of this module, a router or other device that participates in IPsec.

SA—security association. Description of how two or more entities use security services in the context of a particular security protocol (AH or ESP) to communicate securely on behalf of a particular data flow. The transform and the shared secret keys are used for protecting the traffic.

transform—List of operations performed on a dataflow to provide data authentication, data confidentiality, and data compression. For example, one transform is the ESP protocol with the HMAC-MD5 authentication algorithm; another transform is the AH protocol with the 56-bit DES encryption algorithm and the ESP protocol with the HMAC-SHA authentication algorithm.

tunnel—In the context of this module, a secure communication path between two peers, such as two routers. It does not refer to using IPsec in tunnel mode.
